Risk Update

Law Firm Cybersecurity Risk — Latest US Firm Data Breaches, UK Legal Sector Cyber Threat Report, Lawyer Email Encryption and Ethics

“Kirkland & Ellis, K&L Gates, Proskauer Rose Affected in Wide-Ranging Data Hack” —

  • “The data of three Am Law 50 firms was accessed in a global data theft operation, according to the ransomware group claiming responsibility for the attack that has compromised the data of millions of individuals.”
  • “Kirkland & Ellis, K&L Gates and Proskauer Rose are among the latest organizations to be identified in the breach, finding themselves in the company of a growing list of more than 50 other global corporations and banks targeted by the ransomware group known as CL0P.”
  • “More than 16 million individuals have been affected by the breach, according to a tweet Friday by Brett Callow, a cybersecurity threat analyst at Emsisoft tracking the breach.”
  • “The group behind the attack, also known as TA505, reportedly began exploiting a vulnerability in file transfer software known as MOVEit, developed by Progress Software, in May, the U.S. Cybersecurity & Infrastructure Security Agency said in a post this month.”
  • “For Proskauer, the MOVEit breach isn’t the first compromise of internal information reported this year. The New York-based firm began investigating a data breach after large tranches of sensitive client information were found to be publicly accessible from its cloud-based site.”
  • “Proskauer said in April that a third-party vendor who was contracted to set up the cloud site on Microsoft Azure ‘misconfigured’ the site’s security, which left the client data on the site vulnerable to an unauthorized actor and anyone else with access to the internet.”

“Law Firm Cyberattacks Grow, Putting Operations in Legal Peril” —

  • “Law firms that rake in dollars defending companies against cyberattack lawsuits are increasingly finding themselves targets, with five class actions filed so far this year alleging the legal operations failed to protect client data.”
  • “Bryan Cave Leighton Paisner and other firms facing suits represent a sweet spot for corporate cyberattackers because valuable data is stored there—from employee information such as health and financial data, to Social Security numbers, to patent specifications and merger and acquisition plans.”
  • “The five class action cases filed this year against Bryan Cave; Cadwalader, Wickersham & Taft; Smith, Gambrell & Russell; and two smaller firms—Cohen Cleary and Spear Wilderman—claim that they didn’t sufficiently guard against the possibility of cyberattacks. The suits against Cadwalader and Smith Gambrell were later dropped.”
  • “Other firms, such as Covington & Burling, are facing action from government regulators over divulging the extent to which clients have been harmed by cyberattacks. The Securities & Exchange Commission subpoenaed Covington in January over a 2020 cyber hack that may have resulted in client data being stolen.”
  • “Kevin Rosen, a Gibson, Dunn & Crutcher partner, said large law firms have sought him out in recent months about responding to the damage both they and clients may have suffered from cyberattacks and how to handle potential lawsuits.”
  • “Firms are ‘very much focused’ on allocating resources to combat the threat, Rosen said. They are in a unique situation, as they must defend their own internal data plus that of their clients, he said.”
  • “Law firms are among industries scrambling to keep up with an increasingly unsafe cyber landscape. The rate of global weekly cyberattacks rose by 7% in the first financial quarter of 2023 compared with the same period in 2022, according to an April report by cybersecurity firm Checkpoint Research.”

“Cybersecurity Risk and Liability: Hot Button Issues for Lawyers” —

  • “It is worth noting at the outset that cybersecurity risk should be discussed with the client and disclosed in the engagement letter with the client. For example, the letter should explain in some degree the risks associated with cybersecurity in respect of the client’s confidential information, especially where highly sensitive client data is involved.”
  • “Even absent an actual data breach, law firms have been sued for alleged weaknesses in their information security systems. To illustrate, in Shore v. Johnson & Bell, No. 16-CV-4363, 2017 WL 714123, (N.D. Ill. 2017), an action seeking class arbitration was filed in 2016 against a Chicago-based law firm alleging that it put at risk the confidential information of its clients by using a computer time entry system recognized as particularly vulnerable to hacking, causing such information to be ‘unsecured and unprotected,’ despite there being no actual allegation of a security breach having occurred.”
  • “Although the court’s decision addressed the plaintiffs’ request for class arbitration, which the court denied, and did not resolve their claim that the security vulnerability left them under ‘a heightened risk of … injuries,’ the lawsuit was litigated for almost a year in court, undoubtedly resulting in cost, effort and potential reputational harm to the firm.”
  • “This case serves as a reminder that lawyers are obligated under Comment [8] to Rule 1.1 to keep abreast of the benefits and risks associated with technology lawyers use to provide services to clients or to store or transmit confidential information, and under Rule 1.6(c), to make reasonable efforts to prevent inadvertent or unauthorized disclosure or use of, or access to, such information.”
  • “…it is important to bear in mind that each of the fifty U.S. states has a data security breach notification law that requires the notification of affected individuals and, in certain instances state Attorneys General or agencies, of the unauthorized access to or use of certain types of personal information.”
  • “With rapidly evolving technology and sweeping developments in data security and in privacy laws and regulations, lawyers and law firms need to be acutely aware of the risks associated with cybersecurity. Alongside those concerns, attorneys must observe their ethical duties under the Rules, as well as their legal obligations under data protection laws and applicable regulatory regimes.”

Andrew Powell, CIO of Macfarlanes, notes: “The UK Cyber Threat Report – ‘If you only read one cyber report this year, read this one’” —

  • “The National Cyber Security Centre (NCSC) released a Cyber Threat Report on Thursday 22 June, focused on the UK Legal Sector. At the launch event at NCSC’s London offices on Thursday, CEO Lindy Cameron took the opportunity to highlight the range of threats faced by the UK legal sector, from criminals seeking financial gain through ransomware, to nation states looking for the upper hand through theft of IP. The report looks to help UK law practices of all sizes to be more resilient to the main methods of attack.”
  • “Much has changed in the world since the report was last published in 2018, though many of the cyber risks identified in the report are depressingly familiar. The 2023 version benefits from input from the NCSC (including its i100 industry programme that includes CISOs co-opted from several law firms), Action Fraud, the NCA, and also what NCSC refers to as its amplification partners: the Bar Council, Law Society and SRA.”
  • “The report pulls together research, information and guidance from numerous sources and is an excellent resource for raising awareness of the specific cyber risks facing law firms, and what to do about them. Essential reading for every law firm’s (and chambers’) executive team and IT professionals. If you only read one cyber related report this year, read this one.”

“Ethical Considerations for Lawyers Regarding Email Encryption” —

  • “For example: When should lawyers use encryption to secure emails or other electronic communications with clients? What discussions should lawyers have with their clients about sharing communications and files? And are there better alternatives to emailing clients when privacy and security are paramount?”
  • “Most recently, the Pennsylvania Bar Association’s Formal Opinion 2022-400 comes short of mandating that lawyers use encrypted email, but provides guidance on what lawyers may and must do when transmitting client information, discusses the applicable Rules of Professional Conduct, and offers various practice tips on the topic. Also, it includes a helpful appendix of related opinions from other states.”
  • “Several of the Illinois Rules of Professional Conduct are relevant to email encryption for lawyers as they can be applied to safeguarding client information, including Competence (Rule 1.1, Comment 8), Communication (Rule 1.4), Confidentiality of Information (Rule 1.6), and Supervision (Rules 5.1 and 5.3).”
  • “Lawyers must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information. This may require using encryption, passwords, or other security measures when sending or storing email messages or attachments.”
  • “Lawyers must also be aware of the risks of sending emails to or from public or shared computers, networks, or devices, and take appropriate precautions to avoid unauthorized access or interception.”
  • “Lawyers should have an expectation-setting discussion with clients as to their preferred method of communication and the degree of sensitivity of the information related to their representation, including the use of email and text messages.”
  • “Lawyers must ensure that the people under their supervision comply with the ethical rules and standards when using email as a means of communication.”
  • “The Pennsylvania Bar’s Formal Opinion 2022-400 also recommends the following practices for email security.”